A Google Forms editor invitation arrived at a multinational law firm with full authentication. SPF passed. DKIM passed. DMARC passed. Every link pointed to docs.google[.]com or accounts.google[.]com. Google's own infrastructure delivered the message. There was nothing for a secure email gateway to block.
The sender's display name matched the recipient's name. That was not a coincidence.
The email originated from george23fx@gmail[.]com and was delivered through mail-qv1-xf48.google[.]com over IPv6 (2607:f8b0:4864:20::f48). SPF passed because Google's servers are authorized senders for gmail[.]com. DKIM passed under Google's signing keys. DMARC aligned. Composite authentication returned reason=100, the highest trust score. The Return-Path used a VERP-encoded address under doclist.bounces.google[.]com, consistent with legitimate Google Forms sharing notifications.
This is the same authentication profile that every real Google Forms invitation carries. A gateway evaluating sender reputation, domain age, and authentication results would see a trusted platform delivering a routine document sharing notification.
The form's subject was in Hebrew, referencing a survey about apartment ownership status for property tax rights. The content was regionally specific, crafted to appear relevant to the target's professional context in real estate law.
The links in the email were not standard view-only form URLs. They used /edit?invite= parameters, which grant editor privileges to the form without requiring the recipient to sign in to a Google account. Editor access means the recipient (or anyone with the link) can view all submitted responses, modify form questions, and alter the form structure. This turns a survey invitation into a potential data exfiltration vector. If other recipients have already submitted sensitive information, the editor link exposes it.
The Gmail account display name matched the recipient's name at the law firm. The attacker registered george23fx@gmail[.]com, set the display name to match, and sent the form invitation to the corresponding corporate email address. When the notification arrived, the recipient saw their own name as the sender, delivered by Google, with a phishing pretext aligned with their professional domain.
This is deliberate targeting, not opportunistic spam. The name match increases the probability of engagement by creating a false sense of familiarity. It also complicates triage, because the recipient may assume they shared the form with themselves or that a colleague with a similar name initiated the request.
Themis, the IRONSCALES Adaptive AI engine, flagged this message at 50% confidence. The community intelligence layer provided higher confidence based on resolutions of similar incidents across the platform. The combination of a first-time sender, name-matching anomaly between sender and recipient, editor-level permissions in the sharing link, and a regionally targeted pretext are behavioral signals that authentication alone cannot evaluate. These patterns reveal intent at the social engineering layer, not the infrastructure layer.
Authentication confirmed Google sent this email. It did not confirm who created the form or why they targeted this specific recipient.
See Your Risk: Calculate how many threats your SEG is missing
| Type | Indicator | Context |
|---|---|---|
| Sender Email | george23fx@gmail[.]com | Gmail account with name-matching display name |
| Sending Infrastructure | mail-qv1-xf48.google[.]com | Google mail server, IPv6 delivery |
| Sending IP | 2607:f8b0:4864:20::f48 | Google IPv6 address |
| Return-Path | VERP-encoded doclist.bounces.google[.]com | Google Forms bounce handling |
| Form Links | docs.google[.]com/forms/d/.../edit?invite= | Editor-level access, no sign-in required |
| Additional Links | accounts.google[.]com login pages | Google account sign-in |
| Subject Language | Hebrew (property tax survey) | Regionally targeted pretext |
| Authentication | SPF=pass, DKIM=pass (gmail[.]com), DMARC=pass, compauth=100 | Full Google authentication |
| SCL | 1 | Low spam confidence |
| Technique | ID | Relevance |
|---|---|---|
| Phishing: Spearphishing Link | T1566.002 | Google Forms editor link as delivery vector |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Sender display name matched recipient's real name |
| Phishing for Information: Spearphishing Link | T1598.003 | Property tax survey designed to harvest personal and financial data |
| Attack | What happened |
|---|---|
| The FedEx Email That Salesforce Authenticated and Qualtrics Delivered: Data Harvesting Through Three Layers of Trust | A FedEx email sent through Salesforce MTA passed SPF, DKIM, and DMARC. |
| The Subdomain That Fused Two Trusted Brands Into One Convincing Lie | Attackers fused two real brand names into a single subdomain, routed the message through Zix infrastructure to inherit enterprise authentication. |
| An Employment Verification Request That Passed DMARC REJECT, Then Sent Replies to Someone Else | A credential harvesting email impersonated InformData, a real background check company, passing SPF, DKIM, and DMARC at REJECT enforcement via SendGrid. |
| The Zoho Sign Request That Passed Every Check Except the Reply-To: Government Impersonation via E-Sign Infrastructure | A Zoho Sign document request passed SPF, DKIM, DMARC, and ARC. |
| The PayPal Invoice That Passed Every Check Because PayPal Actually Sent It | A canceled PayPal invoice for $50 arrived with perfect SPF, DKIM, and DMARC authentication because PayPal's own infrastructure sent it. |